docker-aptly
aptly container fails when "/" filesystem is mounted read-only
Regarding the docker-aptly container: To implement the Docker CIS security benchmark (item 5.12 in the benchmark) we need to be able to run the aptly container with read-only "/" filesystem. However, it appears aptly requires "/" to be mounted rw on container startup, or else it fails as follows:
Aug 15 14:43:41 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: IOError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: gpg: fatal: can't create directory `/root/.gnupg': Read-only file system
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: secmem usage: 0/0 bytes in 0/0 blocks of pool 0/65536
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: gpg: fatal: can't create directory `/root/.gnupg': Read-only file system
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: secmem usage: 0/0 bytes in 0/0 blocks of pool 0/65536
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: gpg: fatal: can't create directory `/root/.gnupg': Read-only file system
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: secmem usage: 0/0 bytes in 0/0 blocks of pool 0/65536
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: ln: failed to create symbolic link '/root/.gnupg/secring.gpg': No such file or directory
The container is run as follows:
docker run --read-only --detach=true --log-driver=syslog --name="aptly" --restart=always --env FULL_NAME="First Last" --env EMAIL_ADDRESS="[email protected]" --env GPG_PASSWORD="PickAPassword" --env HOSTNAME=tfvm --volume /var/aptly:/opt/aptly --publish 8880:80 bryanhong/aptly:latest
a) Can the aptly Docker container be configured to work with a read-only "/" (i.e. docker run with the --read-only flag)?
b) If not, what are the technical reasons for this (which can be used to justify it under a security analysis)?
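One way to turn the failures above into a hardened run command, as an added example that is not part of the issue or the docker-aptly project: parse the log for the directories the container tried to create while "/" was read-only, and expose each one as a --tmpfs mount so the root filesystem itself can stay read-only. The sample log is constructed from the lines quoted above; the tmpfs options (noexec, nosuid, size) and the shortened run command are this example's choices, and whether these two mounts are the only ones aptly needs is not established by the issue.

```bash
#!/usr/bin/env bash
# Constructed sample: the failure lines from the issue, used as offline input.
sample_log() {
  cat <<'EOF'
Aug 15 14:43:41 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: IOError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/']
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: gpg: fatal: can't create directory `/root/.gnupg': Read-only file system
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: secmem usage: 0/0 bytes in 0/0 blocks of pool 0/65536
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: gpg: fatal: can't create directory `/root/.gnupg': Read-only file system
Aug 15 14:43:48 tfvm docker.05b9adcea05e/bryanhong/aptly:latest[18739]: ln: failed to create symbolic link '/root/.gnupg/secring.gpg': No such file or directory
EOF
}

# Read a container log on stdin and print, one per line and deduplicated,
# the directories the process tried to write to. Two message shapes are
# recognised: Python's tempfile candidate list (first candidate wins) and
# gpg's "can't create directory `PATH'" error.
writable_paths() {
  log=$(cat)   # slurp once so both patterns can scan the same text
  {
    printf '%s\n' "$log" | sed -n "s/.*No usable temporary directory found in \['\([^']*\)'.*/\1/p"
    printf '%s\n' "$log" | sed -n "s/.*can't create directory \`\([^']*\)'.*/\1/p"
  } | awk '!seen[$0]++'
}

# Emit one --tmpfs flag per path. Mount options are this example's hardening
# choice: no executables, no setuid, bounded size; adjust if aptly needs more.
tmpfs_flags() {
  writable_paths | while read -r p; do
    printf '%s %s:rw,noexec,nosuid,size=64m ' --tmpfs "$p"
  done
}

# Build a --read-only run line that keeps the issue's volume and port mapping.
# The --env flags from the issue are left out here for brevity.
read_only_run_cmd() {
  printf 'docker run --read-only %s--volume /var/aptly:/opt/aptly --publish 8880:80 bryanhong/aptly:latest\n' "$(tmpfs_flags)"
}
```

Rerunning the container with the generated flags and feeding the new log back through writable_paths shows whether any further directories are needed; each remaining write location is then a documented, justified exception rather than a reason to drop --read-only.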